Wednesday, February 15, 2017

Fake News and Social Media


The liberation of publishing from traditional media outlets has created opportunities for individuals to practice the art of news reporting, with mixed results. For every legitimate attempt at disseminating factual information, faux reporters traffic in “fake news” in order to increase their popularity rather than to report accurately. Apple executive Tim Cook recently expressed a need for a “massive campaign” to raise awareness of this problem, as fake news has influenced or is influencing elections in the U.S., Russia, Ukraine, France and other countries. Combating fake news will require not only the active participation of media outlets, but an emphasis in national education systems on critical thinking skills.

Wapack Labs has reported on fake news in the past. An archive of related reporting can be found in the Red Sky Alliance Portal.

The following organizations were cited in this report: Apple

TLP: AMBER
ACTOR TYPE: (IV)
SERIAL: TR-036-2017
COUNTRIES: US, RU, UA, FR
INDUSTRIES: ALL
REPORT DATE: 20170214

TLS 1.3 Adoption


On 5 April 2017, OpenSSL 1.1.1, which implements TLS (Transport Layer Security) 1.3, will be released. OpenSSL 1.1.1 will maintain compatibility with version 1.1.0. TLS 1.3 contains important updates, including 0-RTT and the removal of numerous legacy ciphers vulnerable to cryptographic attacks. Current and planned adoptions of TLS 1.3 on commonly used platforms: Cloudflare on 20 September 2016; Chrome version 56+ on 25 January 2017; Opera version 53+ on 7 February 2017; Firefox version 52+ on 17 March 2017; OpenSSL 1.1.1+ on 5 April 2017; Akamai TBD after the OpenSSL release. Wireshark, the most prevalent network protocol analyzer, does not yet support TLS 1.3 as of version 2.2.4. However, development is currently in progress and the status can be seen on the Wireshark Bugzilla.

Wapack Labs has reported on encryption protocols in the past. An archive of related reporting can be found in the Red Sky Alliance Portal.

TLP: GREEN
ACTOR TYPE: (N/A)
SERIAL: TR-035-2017
COUNTRIES: ALL
INDUSTRIES: ALL
REPORT DATE: 20170214

Google Blocks .js Files


Google has long restricted Gmail file attachments ending in .exe, .msc, and .bat for security reasons. On Monday 13 February 2017, they added blocking for .js file attachments. A JS file is mainly used to run “client side” JavaScript code on a webpage. JavaScript downloaders can be used by criminals to download and execute malicious payloads such as Citadel and TeslaCrypt.

Wapack Labs has reported on JavaScript Downloaders in the past. An archive of related reporting can be found in the Red Sky Alliance Portal.

The following organizations were cited in this report: Google

TLP: AMBER
ACTOR TYPE: (I&II)
SERIAL: TR-034-2017
COUNTRIES: XZ
INDUSTRIES: ALL
REPORT DATE: 20170214

Monday, February 13, 2017

Threats Associated with an Air Traffic Overhaul

Many aviation experts in the U.S. are urging the current administration to draft a plan to privatize the air traffic control system. It is hoped that privatization would lead to modernization, which would almost certainly include greater use of information technology. We recently reported on airline “computer glitches” at airlines such as Delta, Southwest, United and Air France that were actual hacking incidents. Hackers have broken into FAA air traffic control mission-support systems in the past. The FAA has made improvements in its cybersecurity posture, but a major modernization effort would increase attack surfaces and introduce numerous new vulnerabilities.

Wapack Labs has reported on airline cyber hacking in the past. An archive of related reporting can be found in the Red Sky Alliance Portal.

The following organizations were cited in this report: United, Delta, SWA, & Air France

TLP: AMBER
ACTOR TYPE: (V)
SERIAL: TR-033-2017
COUNTRIES: US, FR, CN, XZ
INDUSTRIES: Transportation, Financial
REPORT DATE: 20170210

Rebranding iSpy Keylogger: Gear Informer

On 21 December 2016 the developer of iSpy Keylogger, the successor to Hawkeye Keylogger, rebranded the malware as Gear Informer. At the same time, the developer changed his persona. Current users of iSpy Keylogger were given until 31 January 2017 to update their clients before it was shut down.

Wapack Labs has reported on iSpy Keylogger in the past. An archive of related reporting can be found in the Red Sky Alliance Portal.

TLP: GREEN
ACTOR TYPE: (N/A)
SERIAL: TR-0XX-2017
COUNTRIES: ALL
INDUSTRIES: Financial
REPORT DATE: 20170210

Russian Keylogger Perseveres: Intelligence Assessment

On 24 January 2017, Wapack Labs began collecting keylogger data associated with a threat actor's email address. All of the collected data associated with the threat actor indicated that the keylogging campaign has not yet become operational. Metadata contained within the keylogger output indicated the threat actor is located in Western Russia. A screenshot of the threat actor installing a cracked copy of a popular keylogger program indicates it was obtained from a Russian underground forum. The actor makes white-supremacist references, but it is unknown if the references are indicative of the threat actor’s motivations or intended to mislead or insult malware researchers.

Wapack Labs has reported extensively on Russian threat actors in the past. An archive of related reporting can be found in the Red Sky Alliance Portal.

TLP: AMBER
ACTOR TYPE: (II)
SERIAL: IA-002-2017
COUNTRIES: XZ
INDUSTRIES: N/A
REPORT DATE: 20170210

Thursday, February 9, 2017

Maritime Shipping Concerns

Shipping companies investing in maritime port terminals may increase the risk of cyber-attacks. Such investments reduce costs associated with moving cargo, which can improve profitability. Two years of cheap credit and low fuel prices have propped up weaker carriers, lowered demand, and delayed mergers and alliances needed to resolve these concerns. An example: Hyundai Merchant bought a 20% stake in Total Terminals International LLC from Mediterranean Shipping Co, which operates the Port of Long Beach. In addition to risks associated with integrating ship-to-shore cyber connections, adding another company (and its sub-contractors) to the corporate mix increases supply-chain risks.

Wapack Labs has reported on maritime shipping in the past. An archive of related reporting can be found in the Red Sky Alliance Portal.

The following organizations were cited in this report: Hyundai Merchant, Port of Long Beach, Total Terminals International LLC

TLP: AMBER
ACTOR TYPE: (III)
SERIAL: TR-031-2017
COUNTRIES: US, KR, ES
INDUSTRIES: Maritime
REPORT DATE: 20170208

Wednesday, February 8, 2017

Chinese Police Use of Commercial Mobile Apps

The use of common mobile apps by Chinese authorities is a double-edged sword, supporting both public services and enhanced surveillance activities. As an example, Chinese authorities recovered over 660 missing children in 2016 using the "Tuan Yuan" (“reunion”) app. App users near the location where a child is reported missing receive push notifications, including photos and descriptions of the lost child. Notifications are sent to app users farther and farther from the location of the disappearance if the child is not immediately found. Chinese police use of apps like Tuan Yuan, ride sharing, and even shopping apps significantly accelerates efforts to find persons of interest.

TLP: AMBER
ACTOR TYPE: (N/A)
SERIAL: TR-028-2017
COUNTRIES: CN
INDUSTRIES: 
REPORT DATE: 20170206

The Taxman Cometh: Selling W-2 Forms in the Darkweb


Wapack Labs has identified an actor in the Tor-based markets whom we have labeled “Taxman”. Taxman is selling U.S. W-2 Forms from 2016 as well as taxpayer dates of birth. He also sells bank account information for at least one U.S. and one Australian bank, as well as credit reports. Taxman also sells botnets, along with installation and support for them. He is a verified vendor on several Darkweb Tor-based .onion domains and deals exclusively in Bitcoin.

TLP: AMBER
ACTOR TYPE: (III)
SERIAL: TR-030-2017
COUNTRIES: US, Australia
INDUSTRIES: Financial
REPORT DATE: 20170207

Tuesday, February 7, 2017

Roughnecks v. IoT/SCADA

The oil industry is the latest to recognize the benefits – and the risks – of the Internet of Things (IoT). Increased use of automation and robotics is causing many traditional “Roughneck” jobs to be abolished. IoT-enabled (SCADA) systems control automated oil drilling sites, which drives down both labor costs and human errors, but introduces new risks. Such systems and the devices they are composed of are built for functionality and reliability, not security. “Air gaps” and other protections help, but the same service and maintenance pathways legitimate vendors use to meet service level agreements are also avenues of attack for malicious actors.

Wapack Labs has extensively reported on IoT in the past. An archive of related reporting can be found in the Red Sky Alliance Portal. 

TLP: AMBER
ACTOR TYPE: (III)
SERIAL: TR-029-2017
COUNTRIES: US
INDUSTRIES: OIL
REPORT DATE: 20170207

Seafarer Personality Assessment PII Risk


Seafarer personality assessments can be valuable in preventing accidents at sea caused by human error. Often these assessments are conducted by organizations that fall outside the scope of the U.S. Health Insurance Portability and Accountability Act (HIPAA), which means the assessment data does not need to be stored or protected in compliance with HIPAA standards. Should a data breach occur, not only are the seafarers at risk of fraud, but insights into a seafarer’s personality could be leveraged by criminals, competitors, or hostile intelligence agencies. The 2014 Office of Personnel Management (OPM) breach is the textbook example of the perils of this type of breach.

Wapack Labs has reported on data breach liabilities in the past. An archive of related reporting can be found in the Red Sky Alliance Portal.

TLP: GREEN
ACTOR TYPE: (N/A)
SERIAL: TR-026-2017
COUNTRIES: ALL
INDUSTRIES: Maritime
REPORT DATE: 20170207

Vast Quantities of Credit Cards Being Sold in the Underground

Wapack Labs has monitored an underground forum member who provides a web page link where he sells debit and credit cards. The actor created a thread for card dumps and has a large base of various credit cards for sale, some belonging to a Red Sky Alliance member. He is still actively posting credit card dumps and providing a link to a web shop where the cards can be purchased. Lately, he has been selling large amounts of cards from numerous banks in the United States.

Wapack Labs has extensively reported on card dumping in the past. An archive of related reporting can be found in the Red Sky Alliance Portal. 

The following organizations were cited in this report: Red Sky Alliance member

TLP: AMBER
ACTOR TYPE: (II)
SERIAL: TR-027-2017
COUNTRIES: US
INDUSTRIES: Financial
REPORT DATE: 20170203

Monday, February 6, 2017

The Power of Social Media: #DeleteUber


Uber failed to abide by a NYC taxi strike at JFK Airport this past weekend, which was called in response to the Trump Administration’s Executive Order on immigration targeting various Muslim countries. Social media activists staged an online strike of Uber, dubbed #DeleteUber. The hashtag #UberRideswithHate was also used in conjunction with planned protests in Oakland, New Orleans, Los Angeles, Seattle, Hoboken, and other cities. This online protest resulted in Lyft, Uber’s rival, gaining customers despite Uber reducing its rates on basic service (uberX) in New York City by 15%. In fact, the price reduction led to an Uber driver strike. Negative coverage of these events and public sentiment toward Uber led to Uber CEO Travis Kalanick resigning from President Trump’s Business Advisory Council.

Wapack Labs has extensively reported on social media protests in the past. An archive of related reporting can be found in the Red Sky Alliance Portal.

The following organizations were cited in this report: Uber, Lyft

TLP: AMBER
ACTOR TYPE: (II)
SERIAL: TR-025-2017
COUNTRIES: US
INDUSTRIES: Transportation, Financial
REPORT DATE: 20170203

Friday, February 3, 2017

Selling PayPal Accounts: Spanish Language Facebook Group

On 31 January 2017, Wapack Labs discovered a private Spanish language group on Facebook. This group sells compromised Mexican and German PayPal accounts for amounts between $500 and $1,000 Mexican Pesos. Wapack Labs believes, with medium to high confidence, that the administrators of the group are from Mexico, as they conduct transactions in Mexican Pesos. It is unclear at this time how they gain control of the accounts they are selling. Once a buyer pays for an account, the group provides expanded details on the account.

Wapack Labs has extensively reported on PayPal fraud schemes in the past. An archive of related reporting can be found in the Red Sky Alliance Portal.

The following organizations were cited in this report: PayPal, Facebook

TLP: AMBER
ACTOR TYPE: (N/A)
SERIAL: TR-024-2017
COUNTRIES: US (FL) & MX, DE
INDUSTRIES: Financial
REPORT DATE: 20170202

Wednesday, February 1, 2017

Update: PLA Cyber Actor & Mission

A review of academic work by members of the PLA revealed certain units publishing an increasing number of papers on cyber security. One of these units was examined in detail to identify its personnel, expertise, location, and leadership. The results of this examination showed:
  • Personnel identified as authors of computer and network security articles.
  • Unit locations.
  • Increased spending on unit facilities.

Wapack Labs has reported extensively on Chinese cyber actors in the past. An archive of related reporting can be found in the Red Sky Alliance Portal.

TLP: AMBER
Actor Type: Tier IV
Serial: IA-001-2017
Country: CN
Report Date: 20170131